From mboxrd@z Thu Jan 1 00:00:00 1970
To: Sergey Bronnikov
Date: Thu, 4 Sep 2025 12:58:19 +0300
Message-ID: <20250904095819.6791-1-skaplun@tarantool.org>
X-Mailer: git-send-email 2.51.0
Subject: [Tarantool-patches] [PATCH luajit] Invalidate SCEV entry when returning to lower frame.
List-Id: Tarantool development patches
From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org

From: Mike Pall

Thanks to Zhongwei Yao.

(cherry picked from commit 65c849390702b1150d52e64db86cbc6b3c98413e)

When returning to the lower frame, LuaJIT does not clear the Scalar
Evolution analysis entry. Hence, this may lead to its invalid usage in
the next function called if the IR references match. The further
analysis is invalid and may lead to the assertion failure.

This patch invalidates the ScEv entry IR reference index when returning
to the lower frame.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#11691
---

Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1115-invalid-scev-entry-lower-frame
Related issues:
* https://github.com/LuaJIT/LuaJIT/pull/1115
* https://github.com/tarantool/tarantool/issues/11691

 src/lj_record.c                               |  1 +
 ...15-invalid-scev-entry-lower-frame.test.lua | 69 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua

diff --git a/src/lj_record.c b/src/lj_record.c index 1dd22dac..ba409a61 100644 --- a/src/lj_record.c +++ b/src/lj_record.c 
@@ -898,6 +898,7 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults) emitir(IRTG(IR_RETF, IRT_PGC), trpt, trpc); J->retdepth++; J->needsnap = 1; + J->scev.idx = REF_NIL; lj_assertJ(J->baseslot == 1+LJ_FR2, "bad baseslot for return"); /* Shift result slots up and clear the slots of the new frame below. */ memmove(J->base + cbase, J->base-1-LJ_FR2, sizeof(TRef)*nresults); diff --git a/test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua b/test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua new file mode 100644 index 00000000..47bc87ae --- /dev/null +++ b/test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua 
@@ -0,0 +1,69 @@ +local tap = require('tap') + +-- Test file to demonstrate LuaJIT's incorrect Scalar Evolution +-- analysis for recording of return to a lower frame. +-- See also: https://github.com/LuaJIT/LuaJIT/pull/1115. +local test = tap.test('lj-1115-invalid-scev-entry-lower-frame'):skipcond({ + ['Test requires JIT enabled'] = not jit.status(), +}) + +test:plan(1) + +local HOTLOOP = 1 +local HOTEXIT = 1 +local RECORD_IDX = HOTLOOP + 1 +-- Number of iterations to start recording side trace with two +-- iterations in the cycle. +local NITER = RECORD_IDX + HOTEXIT + 2 + +local function test_function(tab) + -- XXX: For reproducing the issue, it is necessary to avoid + -- UGET. Local functions use MOV and take the same IR slots. + local function trace_root(data) + -- Start of the trace, setup ScEv entry. + for i = 1, #data - 1 do + -- Start of the side trace by the hmask check. + if data[i].t == 'a' then + return i + 1 + end + end + -- Unreachable in this test. + return nil + end + + local function other_scev(data, start) + for i = start, #data - 1 do + -- The ScEv entry matches the recorded IR from the parent + -- trace before the patch. It leads to the assertion + -- failure. + if data[i].t == 'a' then + return + end + end + end + + -- Record the root trace first. Then record the side trace + -- returning to the lower frame (this function). + local start = trace_root(tab) + -- The ScEv entry is invalid after the return to the lower + -- frame. Record the trace with another range in the ScEv entry + -- to obtain the error. + return start, other_scev(tab, start) +end + +local data = {} +for i = 1, NITER do + data[#data + 1] = {t = 'a' .. i} +end + +-- Change the hmask value to start the side trace recording. +data[RECORD_IDX] = {} +-- Setup for the trace's return to the lower frame. +data[NITER - 2] = {t = 'a'} + +jit.opt.start('hotloop=' .. HOTLOOP, 'hotexit=' .. 
HOTEXIT) + +test_function(data) + +test:ok(true, 'correct ScEv entry invalidation for return to a lower frame') +test:done(true) -- 2.51.0
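
Review bot: In the src/lj_record.c hunk (lj_record_ret), the new `J->scev.idx = REF_NIL;` between `J->needsnap = 1;` and the baseslot assertion carries no comment, so the reason the ScEv entry is dropped on a return to a lower frame is recorded only in the commit message. If diverging from the upstream line is acceptable for this cherry-pick, a one-line comment saying that the cached entry may otherwise match IR references recorded in the next called function would keep that reasoning next to the code; if not, it is worth confirming that the commit message stays attached to the backport.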
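
Review bot: In the new test file, the only check is `test:ok(true, ...)` after `test_function(data)`, so the test catches the regression only when the stale ScEv entry actually trips the assertion mentioned in the `other_scev` comment; if the build does not enable that assertion, the test passes with or without the fix. Please state that dependency in the header comment, and consider also asserting on the value returned by `test_function`: with HOTLOOP = 1 and HOTEXIT = 1, NITER is 5, `data[NITER - 2]` is the `{t = 'a'}` entry, and `trace_root` returns NITER - 1, so the returned `start` gives the test a real check instead of a discarded result.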